[rt-users] Plugin JSGantt causes CSRF on automatic reload

Patrick G. Stoesser rt-list at himt.de
Wed Nov 23 04:56:05 EST 2016


Hello there,

on my working Debian Jessie RT I'm using the JSGantt Plugin which also
works fine except causing a Possible cross-site request forgery on
automatic reload.

Generally, CSRF occurrences were eliminated at the beginning of the
installation several months ago by setting

# Webdomain override
Set($WebDomain, '172.18.200.41');
Set($WebPort, 443);
Set($WebPath , "/rt");
Set($WebBaseURL , "https://172.18.200.41");

and today I added

# Prevent cross-site forgery
Set(@ReferrerWhitelist, qw(172.18.200.41:443 127.0.0.1:443));

When you call Gantt Chart, everything is fine. Now I have set

# Refresh global
Set($HomePageRefreshInterval, "900");
Set($SearchResultsRefreshInterval, "60");

so the Gantt Chart is reloaded automatically. And on the first reload
it causes the CSRF. Then, when you resume the request manually, all
following automatic reloads work without problems.

The error message complains about a missing referrer:

> Possible cross-site request forgery
>
> RT has detected a possible cross-site request forgery for this
> request, because your browser did not supply a Referrer header. A
> malicious attacker may be trying to modify or access a search on your
> behalf. If you did not initiate this request, then you should alert
> your security team.
>
> If you really intended to visit /rt/Search/JSGantt.html and modify or
> access a search, then click here to resume your request.


After you called Gantt Chart, the URL is

<https://172.18.200.41/rt/Search/JSGantt.html?Query=Queue%20=%20%27Europe%27%20AND%20(Status%20=%20%27new%27%20OR%20Status%20=%20%27open%27%20OR%20Status%20=%20%27stalled%27)>

and after you resumed the reload request, the URL is

<https://172.18.200.41/rt/Search/JSGantt.html?CSRF_Token=88ce346e0380df0395573adec7fb20d9>

I helped myself by disabling Set($SearchResultsRefreshInterval, "60");
since no one uses it, but maybe someone has some advice anyway?

Kind regards, Patrick
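Added example, not part of Patrick's message and not RT's own code: a small Python model of the referrer-based CSRF check that reproduces the sequence reported above (manual visit passes, first automatic reload without a Referer header is blocked, the "resume" link issues a CSRF_Token, and later reloads carrying that token pass). The whitelist semantics and the token flow are a simplified reconstruction from the error text and the $WebDomain / $WebPort / @ReferrerWhitelist values in the message; the function names, the in-memory token store and the sample queries are constructed for this illustration and do not correspond to RT's implementation.

```python
import secrets
from urllib.parse import urlsplit

# Values taken from the configuration shown in the message.
WEB_DOMAIN = "172.18.200.41"
WEB_PORT = 443
REFERRER_WHITELIST = {"172.18.200.41:443", "127.0.0.1:443"}

# Constructed in-memory stand-in for RT's session store: token -> original query.
_resume_tokens: dict = {}


def referrer_origin(referer: str) -> str:
    """Reduce a Referer URL to host:port so it can be compared with the whitelist."""
    parts = urlsplit(referer)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


def check_request(query: dict, headers: dict):
    """Return (allowed, reason) for a request that would modify or access a search.

    Hypothetical simplification of the check: a known CSRF_Token wins, otherwise the
    Referer header must name the configured WebDomain:WebPort or a whitelisted origin.
    """
    token = query.get("CSRF_Token")
    if token is not None:
        if token in _resume_tokens:
            return True, "valid CSRF_Token"
        return False, "unknown CSRF_Token"

    referer = headers.get("Referer")
    if referer is None:
        return False, "your browser did not supply a Referrer header"

    origin = referrer_origin(referer)
    if origin == f"{WEB_DOMAIN}:{WEB_PORT}" or origin in REFERRER_WHITELIST:
        return True, f"referrer {origin} is allowed"
    return False, f"referrer {origin} is not whitelisted"


def resume_request(query: dict) -> str:
    """Model the 'click here to resume your request' link: bind the blocked query
    to a freshly generated token (same 32-hex-digit shape as the CSRF_Token in the
    message's URL) so the request can be replayed without a Referer header."""
    token = secrets.token_hex(16)
    _resume_tokens[token] = dict(query)
    return token


def simulate_gantt_reload():
    """Replay the sequence described in the message; returns [(step, allowed, reason), ...]."""
    # Constructed sample query, modelled on the Gantt URL in the message.
    gantt_query = {"Query": "Queue = 'Europe' AND (Status = 'new' OR Status = 'open')"}
    steps = []

    # 1. User clicks Gantt Chart from the search results page: a Referer is present.
    ok, why = check_request(gantt_query, {"Referer": "https://172.18.200.41/rt/Search/Results.html"})
    steps.append(("manual visit", ok, why))

    # 2. Automatic refresh after SearchResultsRefreshInterval arrives with no Referer.
    ok, why = check_request(gantt_query, {})
    steps.append(("first auto reload", ok, why))

    # 3. User clicks "resume your request": a CSRF_Token bound to the query is issued.
    token = resume_request(gantt_query)

    # 4. Later auto reloads of the tokenised URL pass even without a Referer.
    ok, why = check_request({"CSRF_Token": token}, {})
    steps.append(("auto reload with token", ok, why))

    # 5. A request whose Referer names an origin outside the whitelist is still rejected.
    ok, why = check_request(gantt_query, {"Referer": "https://other.example/page"})
    steps.append(("foreign referrer", ok, why))
    return steps


if __name__ == "__main__":
    for step, ok, why in simulate_gantt_reload():
        print(f"{step:24s} {'allowed' if ok else 'BLOCKED':8s} {why}")
```

Running the script prints the four steps; the second one carries the same "did not supply a Referrer header" reason as the message's error text, which is why only the first automatic reload trips the check and the token-bearing URL reached through "resume" does not.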
